Adware & Task Manager...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ANHEDONIC, May 10, 2004.

  1. ANHEDONIC

    ANHEDONIC Will Title For Food

    Windows XP Home, SP1, Adaware & Spybot (updated), Norton Antivirus 2002 w/ updated definitions, Sygate Personal Firewall...

    To make a long story short, I was Google image searching a band and got redirected to a site that hit me up with a crapload of adware programs... after much panicking and numerous scans with Spybot, Adaware, Panda ActiveScan, and Spy Sweeper (which helped greatly), I notice there are still some weird processes running in my Task Manager that I clearly do not recognize... I also tried booting into Safe Mode and running Spy Sweeper again but it does not detect anything else...

    I do not know where these processes specifically came from, but as I've mentioned, I run just about everything... my browser was never hijacked, my Add/Remove Programs is clear of anything strange/suspicious, all that remains to be resolved (as far as I can tell) are these running processes...

    I've tried to check these processes on www.answersthatwork.com under their Task List section but cannot find them... any help will be greatly appreciated... I'm confident you fellow geeks will help me resolve this issue =]


    I've attached a pic of my Task Manager:
     


    Last edited: May 10, 2004
  2. ANHEDONIC

    ANHEDONIC Will Title For Food

    I'm guessing I might need to download HijackThis???
     
    Last edited: May 10, 2004
  3. alanc

    alanc MajorGeek

  4. ANHEDONIC

    ANHEDONIC Will Title For Food

    Okay, I'm going to download and post the log; hope you guys don't mind analyzing it for me, I know that it's tedious and somewhat annoying but I tried all other means for removing these little nasties....

    Okay, here it is, doesn't look too long:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:52:43 PM, on 5/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NVATray.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\documents and settings\mike craca\local settings\temp\p5psv.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\bidhupnp.exe
    C:\WINDOWS\System32\wintit.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Download Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.falcon-nw.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.falcon-nw.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [p5psv.exe] C:\documents and settings\mike craca\local settings\temp\p5psv.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [5FrU3sP] bidhupnp.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.falcon-nw.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...beta/vet_install_popup.pl?0&4&unknown&unknown
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
    O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.535
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    thanks again

    BTW, I found those shady processes in msconfig (Startup tab) and disabled them; they do not run upon boot anymore, but I'm hoping that I'll be able to get rid of them completely once I get the feedback on my HijackThis log.
     
    Last edited: May 10, 2004
  5. be0

    be0 Corporal

    Hi Mike :)
    Start -> Run, msconfig
    In the General tab select Diagnostic Startup.
    Restart, run antivirus, all those...
    Run HijackThis and CWShredder.
    After that reset all your internet settings,
    then update your Windows or uninstall MS Java......
    That should do it man.
    I've been fixing mine for 2 weeks until I finally updated Windows,
    but you have to get rid of things first too.
     
  6. alanc

    alanc MajorGeek

    This stuff needs to be fixed in HJT:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    O4 - HKLM\..\Run: [p5psv.exe] C:\documents and settings\mike craca\local settings\temp\p5psv.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [5FrU3sP] bidhupnp.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...unknown&unknown
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab


    Then reboot to Safe Mode and delete the files in those O4 lines.
     
  7. ANHEDONIC

    ANHEDONIC Will Title For Food

    Thanks so much for the help alanc... I was able to delete 3 of the 4 O4 install files after booting in Safe Mode... the p5psv.exe one is nowhere to be found, so I went into the folder (not in Safe Mode), set it to show hidden files, and was able to locate and delete it... I saw some other shady exe files in that folder... I was reading about one of the files on another tech support forum and someone recommended this:

    "in safe mode go to the C:\Windows\Temp folder. Open the Temporary folder. Click on Edit - select all, then Edit - delete to empty the contents."

    Is this something I should do?


    2 questions still loom:

    1) I have this PGate Basic application listed in my Add/Remove Programs... I know it is bad news and I know it came with everything else... but trying to remove it pops up an Internet Explorer window and I believe it's asking me to download a program to uninstall it, which I know often just gives you more adware...

    http://img59.photobucket.com/albums/v180/ANHEDONIC/PGateBasic.jpg

    2) Would you recommend that I run a registry cleaner after all this business is cleared up? I was planning on running RegCleaner to patch up any problems caused by this recent adware attack and also to remove those miscellaneous startup entries that those shady processes left...
     
    Last edited: May 10, 2004
  8. alanc

    alanc MajorGeek

    1) Someone in another thread a while ago had this same thing and he reported that the uninstaller worked for him:
    http://www.majorgeeks.com/vb/showthread.php?t=30524&highlight=pgate
    I'd take a chance and try it.

    2) Yes! It's always a good idea to run a reg cleaner after removing junk from your system. And RegCleaner specifically has a feature to delete orphaned Add/Remove entries.

    I agree about the p5psv.exe file and those suspicious looking temp .exe files :)

    Don't forget to go through the manual removal instructions in the above link about PurityScan...
     
  9. ANHEDONIC

    ANHEDONIC Will Title For Food

    K thanks... the PGate program was removed with the uninstaller... I followed the removal instructions for Purity and in regedit there were no values under the specified path, so I'm guessing the spyware programs zapped it...

    And about agreeing about the Temp folder, I'm guessing you're saying it's safe to delete the contents of that folder?

    Also, I ran RegCleaner and ERUNT... those disabled startup items (from those nasty processes) are still visible in the Startup tab when using msconfig, even though they are not selected... I know I ran a registry cleaner in the past that removed these miscellaneous items... can RegCleaner do this? Am I missing something?
     


    Last edited: May 10, 2004
  10. alanc

    alanc MajorGeek

    Yes delete what's in the Temp folder, the newest files may be locked but that's normal.

    In msconfig, put a check mark next to the startup items you want to delete (wintit, dp-him, p5psv, bidhupnp), this will free those keys to be cleaned/deleted.
    Exit msconfig, don't reboot.

    Run RegCleaner and clean the registry (Tools > Registry Cleanup > Do them all), then go to Uninstall Menu, select the items you want removed from Add/Remove and click Remove Selected.

    Look in msconfig to verify those 4 items are gone.


    How long have updmgr.exe and pcsvc.exe been there? They're also adware, they weren't in your HJT log...
     
  11. ANHEDONIC

    ANHEDONIC Will Title For Food

    Ahh alanc, when I opened Kazaa Lite I got hit again with the CoolSearch... I'm going to run all the spyware programs and post my HijackThis log again, please bear with me =[

    Those things weren't there for long at all... my computer was completely spyware free up until 2 days ago when I got directed to that nasty site =\
     
  12. ANHEDONIC

    ANHEDONIC Will Title For Food

    Here's the latest log after having run Adaware, Spybot, and Spy Sweeper again... I also deleted my windows/temp folder and deleted temporary internet folders:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:45:01 AM, on 5/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NVATray.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Download Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.falcon-nw.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.falcon-nw.com
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
    O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.535
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ----------------------------------------------------------
    PurityScan seems to be a problem... that link you gave me to the Kephyr site says for uninstall "Uninstall procedure: Please read the uninstall instructions from the vendor." and then provides this link to the site: http://www.purityscan.com/uninstall.html . Do you think I should give this uninstaller a shot if Kephyr links me to it, or could it possibly contain more crap?

    I'm waiting to run RegCleaner again after I can delete all this spyware junk, so I will follow your advice from the previous post then... thanks again for your patience alanc
     
  13. alanc

    alanc MajorGeek

    Before I dive into this log, have you re-enabled everything in msconfig?

    If yes let me know, if not do that, exit msconfig and run HJT again and post the new log.

    Let me check out that PurityScan uninstaller...
     
  14. alanc

    alanc MajorGeek

    It would probably be safer to follow the Manual Removal instructions at that link.
     
  15. alanc

    alanc MajorGeek

    I don't see that PurityScan file (wintit.exe) ;) anymore in your log, maybe you got it all.

    Close everything but HJT, put a check by these lines and click Fix Checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)


    If you don't recognize this site, fix these too:
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.26/Hiwire.cab
    O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/i...5.30/Hiwire.cab


    Also, make sure you use the Immunize feature of Spybot; that and SpywareBlaster will prevent a lot of things from being installed in the first place.
     
  16. ANHEDONIC

    ANHEDONIC Will Title For Food

    So you want me to recheck all those nasty processes that run in startup (via msconfig) and then run HijackThis and post the log again? Should I restart the comp so that those processes are running before running HJT?

    A lot of the items in msconfig are nonexistent because I was able to delete the folders after running the spyware scans.
     


    Last edited: May 11, 2004
  17. alanc

    alanc MajorGeek

    Go ahead and do what I've posted so far
    then reboot
    then in msconfig go to Startup and Enable All
    exit msconfig (don't restart)
    run RegCleaner and do the 'clean them all' thing
    run HJT and post the log

    msconfig keeps disabled startup items in a different place in the registry than where HJT looks, that's why you need to enable them all, but they don't need to be running.
     
    Last edited: May 11, 2004
  18. ANHEDONIC

    ANHEDONIC Will Title For Food

    Okay, first I fixed the ones you mentioned above, enabled all in msconfig without rebooting, and here is the new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:39:23 PM, on 5/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NVATray.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Download Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.falcon-nw.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [p5psv.exe] C:\documents and settings\mike craca\local settings\temp\p5psv.exe
    O4 - HKLM\..\Run: [G.exe] c:\documents and settings\mike craca\local settings\temp\G.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [5FrU3sP] rtuntutl.exe
    O4 - HKLM\..\Run: [2YD37BC44Z4SCA] C:\WINDOWS\System32\BzfYe.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Welw] C:\Documents and Settings\Mike Craca\Application Data\atpd.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.falcon-nw.com
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.535
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    thank you
     
  19. alanc

    alanc MajorGeek

    Close all programs but HJT and fix these lines:
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe ***
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe ***
    O4 - HKLM\..\Run: [p5psv.exe] C:\documents and settings\mike craca\local settings\temp\p5psv.exe
    O4 - HKLM\..\Run: [G.exe] c:\documents and settings\mike craca\local settings\temp\G.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe ***
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe ***
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" ***
    O4 - HKLM\..\Run: [5FrU3sP] rtuntutl.exe
    O4 - HKLM\..\Run: [2YD37BC44Z4SCA] C:\WINDOWS\System32\BzfYe.exe
    O4 - HKCU\..\Run: [Welw] C:\Documents and Settings\Mike Craca\Application Data\atpd.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe ***
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q ***


    Then reboot to Safe Mode and delete the folders that I put the *** after (if they exist), -and- all the files in this folder: c:\documents and settings\mike craca\local settings\temp.

    Reboot normally and hopefully *crosses fingers* you should be OK :)
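The two fix lists alanc posted (the first after the initial log, and the longer one just above) are built by eye from a few recurring tells: a Run entry that launches from the user's Local Settings\Temp or Application Data folder, a Run value name that looks machine-generated ([5FrU3sP], [2YD37BC44Z4SCA]), an entry whose target is already gone, and an O16 ActiveX control pulled from a bare IP address or an unfamiliar host. The script below is an added example, not HijackThis or anything posted in the thread: it parses the O4 and O16 lines of a HijackThis 1.x log and applies exactly those heuristics. The sample log is a constructed excerpt assembled from lines that appear in this thread, the trusted-host list is an assumption for illustration, and the heuristics are a triage aid only. They will not catch an unknown filename sitting in System32 with an innocent-looking value name (such as [Dsi] dp-him.exe), which still needs a lookup by a human.

```python
"""Triage the O4 (Run-key autoruns) and O16 (Downloaded Program Files /
ActiveX) lines of a HijackThis 1.x log with the same tells the helpers in
this thread used by eye.  Added example; not HijackThis code."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed excerpt, assembled from O4/O16 lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [p5psv.exe] C:\documents and settings\mike craca\local settings\temp\p5psv.exe
O4 - HKLM\..\Run: [5FrU3sP] bidhupnp.exe
O4 - HKLM\..\Run: [2YD37BC44Z4SCA] C:\WINDOWS\System32\BzfYe.exe
O4 - HKCU\..\Run: [Welw] C:\Documents and Settings\Mike Craca\Application Data\atpd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

@dataclass(frozen=True)
class Finding:
    section: str   # "O4" or "O16"
    name: str      # Run value name, or the CLSID for O16
    target: str    # command line, or the .cab URL
    reason: str

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")

# Folders any user (and any drive-by installer) can write to.
USER_WRITABLE = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\application data\\")
# Letters and digits mixed, no separators: typical of generated value names.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,}$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Assumed allowlist for this example; tune it to what the machine legitimately uses.
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com", "pandasoftware.com")

def _host_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)

def triage_o4(name, cmd):
    """Return a reason string if a Run entry looks suspicious, else None."""
    low = cmd.lower()
    if "(file missing)" in low:
        return "target file is missing; stale or already-deleted autorun"
    if any(p in low for p in USER_WRITABLE):
        return "autorun launched from a user-writable temp/profile folder"
    if RANDOM_NAME.match(name):
        return "Run value name looks machine-generated"
    return None

def triage_o16(url):
    """Return a reason string if a DPF/ActiveX entry looks suspicious, else None."""
    host = (urlsplit(url).hostname or "").lower()
    if IPV4.match(host):
        return "ActiveX control served from a bare IP address"
    if not _host_trusted(host):
        return "ActiveX control from a host not on the trusted list: " + host
    return None

def triage(log_text):
    """Parse O4/O16 lines and return the entries worth fixing, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reason = triage_o4(m["name"], m["cmd"])
            if reason:
                findings.append(Finding("O4", m["name"], m["cmd"], reason))
            continue
        m = O16_RE.match(line)
        if m:
            reason = triage_o16(m["url"])
            if reason:
                findings.append(Finding("O16", m["clsid"], m["url"], reason))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-3s [%s] %s\n     -> %s" % (f.section, f.name, f.target, f.reason))
```

Run against the constructed sample it flags p5psv.exe, [5FrU3sP], [2YD37BC44Z4SCA] and [Welw] on the O4 side and the ChainCast and Hiwire controls on the O16 side, while leaving the Norton, AIM and Flash entries alone; that matches the lines alanc picked out. Remember that it only sees what HijackThis reports, so entries disabled in msconfig (which HJT does not read, as noted later in the thread) are invisible to it until they are re-enabled.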
     
  20. ANHEDONIC

    ANHEDONIC Will Title For Food

    Okay alan, I did what you asked... I also downloaded and ran SpywareBlaster and updated it, so hopefully that'll help keep some of these little nasties from coming back...


    In msconfig I selected all again and here is the new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:00:42 PM, on 5/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WindowBlinds\wbload.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NVATray.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Download Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.falcon-nw.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [2YD37BC44Z4SCA] C:\WINDOWS\System32\BzfYe.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.falcon-nw.com
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.535
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ---------------------------------------

    Also, I've set SpywareBlaster to block all those ActiveX scripts... how can I be sure that SpywareBlaster is running every time I boot? Isn't that what it has to do in order to protect me? I was searching the program for options to boot when Windows starts but didn't see any...

    And this file does not exist at the specified location: O4 - HKLM\..\Run: [2YD37BC44Z4SCA] C:\WINDOWS\System32\BzfYe.exe... I manually searched for it and also did a Windows Search for the exe file and it's nowhere to be found... so hopefully that line will disappear from my startup once I run RegCleaner a little later...

    And thanks again for your patience...
     
  21. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi Midget, just seen this thread for the first time;
    looks like you have had a right old time of it :(

    I don't use SpywareBlaster so hopefully someone else will help you out on that side, but I just looked over your log and see this is still there (Alan spotted it earlier):
    O4 - HKLM\..\Run: [2YD37BC44Z4SCA] C:\WINDOWS\System32\BzfYe.exe

    Guess you need to fix this again, then reboot into Safe Mode and delete it; as it's in your System32 folder you will have to show hidden files and folders to get at it.

    EDIT: Didn't see your edit LOL :p
     
  22. alanc

    alanc MajorGeek

    Agreed with the General, except for that one line you look clean.

    SpywareBlaster doesn't have to load at boot to protect you, it modifies registry settings to prevent loading of evil ActiveX stuff. Just update it once a week and enable protection for the new items and you're good to go.
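What alanc describes is the Internet Explorer "kill bit": a per-CLSID value under the ActiveX Compatibility key that makes IE refuse to instantiate that control, whether or not its .cab has already been downloaded. Nothing has to be resident for that to work, which is why there is no "run at startup" option to look for. The script below is an added example, not SpywareBlaster's code: it writes a .reg file that sets the kill bit for a list of CLSIDs and parses one back to verify which CLSIDs it covers. The key path and the 0x400 flag are the documented kill-bit mechanism; the three CLSIDs are the ChainCast and Hiwire controls from the O16 lines in this thread.

```python
"""Generate and verify a .reg file that sets the IE ActiveX kill bit for a
list of CLSIDs.  Added example; not SpywareBlaster's code."""
import re

KILL_BIT = 0x400   # Compatibility Flags bit that blocks a control in IE
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
KEY_LINE_RE = re.compile(r"^\[(?P<path>.+)\\(?P<clsid>\{[^}]+\})\]$")
FLAG_LINE_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# CLSIDs from the O16 lines posted in this thread.
BLOCKED_CLSIDS = [
    "{2253F320-AB68-4A07-917D-4F12D8884A06}",  # ChainCast VMR Client Proxy
    "{28F00B0F-DC4E-11D3-ABEC-005004A44EEB}",  # Hiwire "Register Class"
    "{80F1B906-D066-11D3-AD70-009027B8ADBC}",  # Hiwire "WebPlayer Class"
]

def is_clsid(s):
    """True if s is a well-formed, upper-case, brace-wrapped CLSID."""
    return bool(CLSID_RE.match(s))

def normalize_clsid(clsid):
    """Upper-case, brace-wrap and validate; a typo must not become a bogus key."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not is_clsid(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return c

def kill_bit_reg(clsids):
    """Return .reg text that sets Compatibility Flags = 0x400 for each CLSID
    (deduplicated and sorted so the file diffs cleanly between updates)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in sorted({normalize_clsid(x) for x in clsids}):
        lines.append("[%s\\%s]" % (COMPAT_KEY, c))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)

def kill_bitted_clsids(reg_text):
    """Parse .reg text and return the CLSIDs whose Compatibility Flags under
    the ActiveX Compatibility key include the kill bit.  Keys elsewhere in
    the registry are ignored even if they carry the same value name."""
    found = set()
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE_RE.match(line)
        if m:
            under_compat = m["path"].lower() == COMPAT_KEY.lower()
            current = m["clsid"].upper() if under_compat else None
            continue
        m = FLAG_LINE_RE.match(line)
        if m and current and int(m["hex"], 16) & KILL_BIT:
            found.add(current)
    return found

if __name__ == "__main__":
    text = kill_bit_reg(BLOCKED_CLSIDS)
    print(text)
    print("kill-bitted:", sorted(kill_bitted_clsids(text)))
```

Save the output as a .reg file and import it with regedit from an administrator account (the key lives under HKLM). The kill bit is global for that CLSID, so it also stops a legitimate control with the same CLSID; it blocks instantiation in IE but does not delete files the control already dropped, which is why the O16 fix and the file deletion in Safe Mode are still needed alongside it.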
     
  23. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Thanks Alan, hope you didn't mind me stepping in (I gave you a namecheck in my post ;) ) but I saw you weren't about so thought I'd help out

    Midget edited his post while I was replying though :p
     
  24. alanc

    alanc MajorGeek

    No problem at all, the more eyes looking at these HJT logs the better :)
     
  25. ANHEDONIC

    ANHEDONIC Will Title For Food

    Thanks guys... I cannot express how much I appreciate your tech help... I'm still venting over this whole situation... having been reading this site for a while, I thought I was pretty well protected (having an updated AV, firewall, Spybot + Adaware, popup blocker etc etc), and then one little site screws me over =\ I was spyware and PC problem free for a LONG TIME

    Anyhow... I went into System32, enabled hidden files, and found the bzxxxx.exe file and deleted it... rebooted, and my msconfig startup and my system processes in Task Manager look clean :)

    alanc, I'm going to open up RegCleaner again and run those cleaning processes that you recommended (all of 'em)... theoretically those cleaning processes shouldn't mess up anything with my registry, correct? I'm guessing if it does there is some sort of restore or backup log to correct it?
     
  26. alanc

    alanc MajorGeek

    RegCleaner automagically makes backups of whatever it cleans in case anything breaks, but I've never had a problem with it.

    RegSupreme and RegSeeker (here) are also great cleaners, the former being well worth the $13, IMO.
     
